Copyright © 2017 Splunk Inc.
Splunk for Security
Best Practices for Your Security Strategy
Udo Götzen, CISSP
Sr. Sales Engineer
Agenda
• Cyber Security Landscape (2m)
• Splunk’s Data Driven Security Offering
(10m)
• Demo Time (Rest)
• Next Steps / Q&A
TRADITIONAL DEFENSES ARE NO LONGER EFFICIENT ENOUGH
The Ever-Changing Threat Landscape
• 53%: Victims notified by external entity
• 100%: Valid credentials were used
• 229: Median # of days before detection
Source: Mandiant M-Trends Report 2012-2016
Source: Verizon DBR
Attacks often start with an email:
• 50% click on phishing links within the first hour
• 23% of recipients open phishing messages
• 11% of recipients click on attachments
True Story: State of Michigan (SOM) – User account spoofing
• Phishing mail: Mailbox reached storage limit...
• Outlook Web Access portal custom design of SOM was rebuilt by attacker
• Provide e-mail, username, password and date of birth...
To how many users was the mail delivered? How many clicked? How many filled it out?
• Delivered to 2800 employees before being blocked
• 155 employees clicked the link
• 144 employees provided their credentials
Source: GISEC 2015 Key Note – Ex CSO Dan Lohrmann
All Machine Data is Security Relevant
Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
Splunk Approach to Machine Data
• Traditional SIEM: structured data, RDBMS, ETL, schema at write, SQL search
• Splunk: unstructured data (volume, velocity, variety), universal indexing, schema at read
Turning Machine Data Into Business Value
Index Untapped Data: Any Source, Type, Volume (on-premises, private cloud, public cloud):
Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
Ask Any Question: Application Delivery; Security, Compliance and Fraud; IT Operations; Business Analytics; Internet of Things and Industrial Data
SECURITY USE CASES
• Security & Compliance Reporting
• Real-Time Monitoring of Known Threats
• Monitoring of Unknown, Advanced Threats
• Incident Investigations & Forensics
• Insider Threat
Splunk Can Complement OR Replace an Existing SIEM
Products for Security and Compliance
• Splunk Enterprise Security
• Splunk User Behavior Analytics
• 390+ Security Apps: Palo Alto Networks, FireEye, Symantec, DShield, DNS, OSSEC, NetFlow Logic, Cisco Security Suite, F5 Security, PCI Compliance, Active Directory, Blue Coat ProxySG
Collect, Store, Ad-hoc Search, Report, Investigate, Correlation, Incident Response Management, Security Operations Dashboards, Machine Learning, Hidden Threats, Anomalies, Behavior Analysis, Peer Group Analysis, Visualize, Index, Log, Pre-built & New Content, Detect Unknown Threats
Security & Compliance Landscape
Splunk Core: API, SDKs, UI
Network Traffic Analysis, Identity & Access Control, Perimeter Defense, Email Payload Analysis, Endpoint Behavior Analysis, Endpoint Change Tracking, DLP, Security Analytics, Threat Intelligence, Cloud Security
ZeuS Live Demo
APT Transaction Flow Across Data Sources
Data Sources: Threat Intelligence, Endpoint, Network, Email, Proxy, DNS, and Web
1. Attacker hacks website, steals .pdf files (Web: Portal.pdf)
2. Attacker creates malware, embeds it in the .pdf, emails it to the target (MAIL)
3. Read email, open attachment: the .pdf executes & unpacks malware, overwriting and running “allowed” programs: Calc.exe (dropper), Svchost.exe (malware)
4. http (proxy) session to command & control server (Proxy)
5. Remote control: steal data, persist in company, rent as botnet
Transaction phases: Conduct Business, Gain Access to system, Create additional environment
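The flow above spans mail, endpoint and proxy data, and the earlier slide contrasts schema at write with schema at read. The following Python, an added example that is not Splunk's code, keeps raw log lines untouched, extracts fields per sourcetype at search time and stitches the three sources into one transaction per user, flagging a threat-intelligence match on the proxy destination. All log formats, hosts, users and domains are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Schema at read: raw events stay untouched; fields are extracted at search
# time with one regex per sourcetype, so a new question needs no re-ingest.
# The log formats, hosts, users and domains below are constructed.
EXTRACTORS = {
    "mail": re.compile(r"^(?P<ts>\S+ \S+) mail to=(?P<user>\S+) attachment=(?P<file>\S+)"),
    "endpoint": re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) child=(?P<child>\S+)"),
    "proxy": re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) dest=(?P<dest>\S+) action=(?P<action>\S+)"),
}

# Constructed sample events from three data sources. User jdoe follows the
# slide's chain (attachment -> dropper -> C2); asmith runs calc.exe normally.
RAW_EVENTS = [
    ("mail", "2017-03-01 09:00:05 mail to=jdoe attachment=Portal.pdf"),
    ("endpoint", "2017-03-01 09:02:10 host=wks-042 user=jdoe parent=AcroRd32.exe child=calc.exe"),
    ("endpoint", "2017-03-01 09:02:12 host=wks-042 user=jdoe parent=calc.exe child=svchost.exe"),
    ("proxy", "2017-03-01 09:03:30 host=wks-042 user=jdoe dest=update-cdn.example action=allowed"),
    ("proxy", "2017-03-01 09:03:31 host=wks-042 user=jdoe dest=www.example.com action=allowed"),
    ("endpoint", "2017-03-02 11:00:00 host=wks-007 user=asmith parent=explorer.exe child=calc.exe"),
]

# Constructed threat-intelligence list of known command & control domains.
THREAT_INTEL = {"update-cdn.example"}


def parse(sourcetype, line):
    """Extract fields from one raw line; None if the line does not match."""
    m = EXTRACTORS[sourcetype].match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["sourcetype"] = sourcetype
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def search(events, **where):
    """Ad-hoc search on extracted fields, e.g. search(events, dest='x')."""
    return [e for e in events if all(e.get(k) == v for k, v in where.items())]


def find_apt_transactions(raw_events, window=timedelta(minutes=15)):
    """Stitch mail -> dropper -> C2 into one transaction per user: within
    `window` after an attachment reached the user, svchost.exe started by a
    parent other than services.exe (an "allowed" program run by a dropper)
    and a proxy request to a destination on the threat-intelligence list."""
    events = [ev for st, line in raw_events for ev in [parse(st, line)] if ev]
    events.sort(key=lambda e: e["ts"])
    hits = []
    for mail in search(events, sourcetype="mail"):
        start, end = mail["ts"], mail["ts"] + window
        span = [e for e in events
                if e["user"] == mail["user"] and start <= e["ts"] <= end]
        droppers = [e for e in search(span, sourcetype="endpoint")
                    if e["child"].lower() == "svchost.exe"
                    and e["parent"].lower() != "services.exe"]
        c2 = [e for e in search(span, sourcetype="proxy")
              if e["dest"] in THREAT_INTEL]
        if droppers and c2:
            hits.append({
                "user": mail["user"], "host": c2[0]["host"],
                "attachment": mail["file"], "dropper": droppers[0]["parent"],
                "c2": c2[0]["dest"],
                "seconds_to_c2": int((c2[0]["ts"] - start).total_seconds()),
            })
    return hits


if __name__ == "__main__":
    for hit in find_apt_transactions(RAW_EVENTS):
        print(hit)
```

The second user's calc.exe launch never joins a transaction because no attachment, svchost.exe anomaly or threat-intel hit falls in the same window for that user.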
Enterprise Security
ZeuS Live Demo
What is Enterprise Security?
A collection of Frameworks: Notable Event, Asset and Identity, Risk Analysis, Threat Intelligence, Adaptive Response
Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management*
• Four Years in a Row as a Leader
• Furthest overall in Completeness of Vision
• Splunk also scores highest in 2016 Critical Capabilities for SIEM report in all three Use Cases
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Splunk and the SANS CIS Critical Security Controls
The CIS Critical Security Controls (CSC) are a time-proven, prioritized, “what works” list of 20
controls that can be used to minimize security risks to enterprise systems and the critical data they
maintain. These controls are derived from and “cross-walked” to controls in NIST Special
Publication 800-53. They are also known as the Consensus Audit Guidelines (CAG).
Formerly managed by SANS and the Council on CyberSecurity, the CIS CSC are currently governed
by the Center for Internet Security (CIS) and are considered the “de facto yardstick by which
corporate security programs can be measured,” according to the Cybersecurity Law Institute.
Read the e-book:
http://www.splunk.com/web_assets/pdfs/secure/Splunk-and-the-SANS-Top-20-Critical-Security-Controls.pdf
Download the free App:
https://splunkbase.splunk.com/app/3064/
Splunk Security Essentials App
Over 50 search examples for use cases from the following domains:
• Access Domain
• Data Domain
• Network Domain
• Threat Domain
• Endpoint Domain
• Data Sources Used
Download the free App:
https://splunkbase.splunk.com/app/3435/
Source: Verizon DBR
IF IT HAPPENS TODAY? HOW LONG DOES IT TAKE YOU TO ANSWER UPCOMING QUESTIONS?
50% CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR
Next Step: Discovery Workshop
What’s your Security Use Case?
• Cost justification against your management
• Success measurement
• Prioritization
• Scoping of data sources / data volume / costs
• Establishing organizational processes
• Data privacy justification
Explore: How Travis Perkins built a SOC in the Cloud
http://blogs.splunk.com/2016/09/14/trust-and-resilience-at-the-speed-of-business-how-travis-perkins-built-a-lean-soc-with-splunk-in-the-cloud/
Join: Our Community with Apps, Ask Questions or join a SplunkLive! event
https://www.splunk.com/en_us/community.html
Try: Splunk Enterprise Security in our Sandbox with 50+ Data Sources
https://www.splunk.com/getsplunk/es_sandbox
Q&A
Thank you

Editor's Notes

  • #4 A fundamental change is going on in the threat landscape. Traditional defenses are no longer enough. While the user interface might look nice, a fundamental shift is under way. With more and more cloud and software as a service, perimeter security is increasingly challenged. With the digital transformation, new services need to be protected as well, and just protecting systems is no longer enough. Identity becomes the new perimeter that needs to be protected.
  • #5 There are three numbers in the cyber security statistics that prove this trend, and we should pay close attention to them: 100% of breaches are done using valid credentials; it still takes 229 days on average to detect a breach; and with all the security technologies deployed in enterprises, 53% of breaches are still first reported to the enterprise by third parties (FBI, SS).
  • #6 Verizon Data Breach Report 2015 – Section Phishing – Page 16-18
  • #7 At GISEC 2015 in Dubai – a large security show – Michigan's ex-CSO Dan Lohrmann held a keynote and mentioned sophisticated phishing attempts as one of the top concerns for CIOs. He showed a real sample where they faced a targeted attack. E-mails were sent to over 2800 users saying that their mailbox had reached its size limit and that, to increase it temporarily, they should log on to Outlook Web Access. Within the first hour, 155 employees clicked the link to a faked Outlook Web Access page – even the custom colouring and design used at the State of Michigan had been reproduced. 144 employees provided their credentials. If that type of attack happens – you can't avoid it – you need to have the right procedures and technology in place to react quickly.
  • #8 Looking at the typical data sources used by legacy SIEMs is not enough. It would be like boxing yourself into a tight space and having to fight against your attackers and defend against your threats from that position. You need to be able to see outside the box, go beyond your traditional security solutions and gain security insight from all your data – for example e-mail tracking logs to know who got the e-mails, web log to know who
  • #9 The rise of big data has forced IT organizations to transition from a focus on structured, relational data to accommodating unstructured data, driven by the volume, velocity and variety of today's applications and systems. As the data has changed from structured to unstructured, the technology approach needs to change as well. When you don't know what data types you'll need to analyze tomorrow or what questions you need to ask in a week, flexibility becomes a key component of your technology decisions. The ability to index any data type, search across silos and avoid being locked into a rigid schema opens a new world of analytics and business insights to your organization. Schema at Read enables you to ask any question of the data. Search enables rapid, iterative exploration of the data along with advanced analytics. Universal Indexing enables you to ingest any type of machine data. Horizontal scaling over commodity hardware enables big data analytics.
  • #10 Splunk products are being used for data volumes ranging from gigabytes to hundreds of terabytes per day. Splunk software and cloud services reliably collect and index machine data, from a single source to tens of thousands of sources, all in real time. Once data is in Splunk Enterprise, you can search, analyze, report on and share insights from your data. The Splunk Enterprise platform is optimized for real-time, low-latency interactivity, making it easy to explore, analyze and visualize your data. This is described as Operational Intelligence. The insights gained from machine data support a number of use cases and can drive value across your organization. Today we will focus on Security.
  • #11 If we talk about Security, there are different categories to which you can map your use cases and requirements. The quickest win is to start with building capabilities for incident investigation and forensics, so in case something goes wrong in your environment you can ask how an attacker got in and what data was accessed, and you can properly scope breaches and security incidents. You can also start hunting for threats in case you assume you're already breached. Then you can go into the proactive step of monitoring your security controls and policies through compliance monitoring. This can be external compliance regulations like PCI, GDPR, ISO 2700X or even tracking your internal IT policy. Then you can do real-time monitoring of known threats: each of your security solutions like IPS, IDS, vulnerability manager, firewall, antivirus, VPN servers and more has its own dashboards and events; you want a centralized security posture to be able to ask which security walls in my organization a specific user or system hit. This also allows you to measure the efficiency of your security tools, for example. Then you can use the data to build your own powerful correlations with the Splunk search language to detect unknown threats, combining security events with non-security events like activity data. You can enrich data with threat intelligence and apply risk scores for aggregating notable activity. Last but not least, you can also analyze and detect insider threat. This can be malicious insiders who might leave the company and take personal data with them, as well as hapless users who were tricked by social engineering or phishing and whose account was taken over by an external attacker, who then uses the credentials for their attacks and for accessing your networks, e-mail mailboxes etc.
  • #12 The Splunk Security Intelligence Platform consists of multiple components. Foundational to the platform is Splunk Enterprise, our core product. Every Splunk deployment includes this for indexing and storage. Using this alone, customers can perform searches and easily build reports/dashboards from their data. A variety of applications can be installed on top of Splunk Enterprise, ranging from 3rd party vendor apps, community developed apps and Splunk Apps. You can build apps on top for your own use or to share within your company. Apps are a collection of reports, dashboards, and searches purpose-built for a specific use. Our premium security app is Splunk Enterprise Security. It provides out-of-the-box security workflow, dashboards, reports and correlation rules that bring together security and infrastructure technologies across your company. Any of the apps can be mixed and matched to achieve the desired level of functionality.
  • #14 To provide a complete, end-to-end view into the environment and to defend against sophisticated threats, including malware and APTs, security solutions must provide broad and deep coverage of the security and infrastructure elements. Organizations need a platform that provides out-of-box support and allows any technology/security/infrastructure device to be supported; this helps unify what have traditionally been siloed efforts. Splunk Enterprise is a platform for machine data and provides visibility across these silos. The Splunk platform also provides role-based access control, which allows different people across the organization, including the security team, to access the data they need as part of their jobs, yet allows them to collaborate and see things across the environment. This is critical when orgs need to determine if an issue is a security, IT operations or an application issue.
  • #18 One way to answer the question “What is Enterprise Security?”, and the way we'll look at it today, is to consider the Frameworks that comprise it. Today we'll focus on these 5, but we'll do so in a little bit different way. Instead of showing you how ES leverages these frameworks together to meet general security problems, we're going to dive deeper and show you how to treat the ES frameworks as building blocks that can be assembled to meet complex use cases in novel, and perhaps non-obvious, ways. That might mean using a little-known ES search macro directly in core Splunk; or it might mean making a call to an ES-specific REST endpoint; or it might mean showing a bit of Python code that connects ES to an external service provider. The ES frameworks, along with some very nice dashboards, and of course your organization's security data, make up ES.
  • #19 Gartner disclaimer: Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.  
  • #22 Verizon Data Breach Report 2015 – Section Phishing – Page 16-18
  • #23 We at Splunk don't just have great software. We want to ensure customer success in all we do with your organization. We know how amazing our dashboards look, and with our strong platform foundation we have not yet run into limits on the technical side. However, having no limits and not putting you in a pre-defined box can from time to time be challenging, so knowing your security use cases is key. What is the final goal of the solution you're looking for? Your use case will ensure that you get more than nice dashboards: the use case ensures that you have actionable information and findings. The better the use case, the more successful you will be! We can help and guide you on the journey to collect your use cases. We have a use case discovery workshop available as well as many inspirational customer stories to share! We can map them out together with you, apply them to your organization, scope the volume and costs as well as the organizational processes to establish; then we can prioritize them and start our joint journey!
  • #24 The best part is that Splunk is really easy to try and deploy. We have multiple options for getting started: - Try out Splunk Enterprise, Splunk Cloud, or Splunk Light with our free downloads or online trials. - Or try our free software download. The free Splunk Enterprise download is the same product that scales to ingest petabytes of data per day. - Already running with Amazon Cloud deployments? AMIs for Splunk Enterprise and Hunk make it easy to get up and running.